A newly discovered iPhone security flaw that bypasses the device’s password to allow access to contacts and photos surfaced yesterday and has been making the rounds on the internet ever since. In a video posted yesterday, YouTube user Jose Rodriguez, who discovered a similar flaw last September, walks through the current exploit.
Update: According to The Washington Post, “An Apple spokeswoman confirmed that the bug was fixed Tuesday morning. Most consumers should have a fix in place — without the need for a software update.” To learn more about the original flaw and to see it exploited in action, continue reading below.
The flaw, which only affects the 3D Touch-enabled iPhone 6s and 6s Plus, starts with a user asking Siri from the lock screen to initiate a Twitter search. When the search results contain contact data, the user can use a 3D Touch gesture to bring up the “Add to Existing Contact” option, which gives access to the contacts and photos (by attempting to add a photo to the contact) without ever entering the lock screen password.
In his video, Rodriguez demonstrates the exploit with ease, and it has been successfully reproduced by AppleInsider and Mike Wehner of The Daily Dot. However, Wehner did note that his iPhone “repeatedly asked [him] to enter [his] passcode after [he] asked it to search Twitter.” But the exploit did work “seemingly at random”, and was then reproduced reliably after several tries.
Although Apple has yet to address the issue, they are usually reasonably quick in patching such exploits. In the meantime, there are several steps you can take to protect yourself from anyone taking advantage of the flaw.
Users can disable the “Siri” option in their Twitter app settings, or disable Siri’s access to photos by navigating to Settings > Privacy > Photos and toggling the Siri switch. For added security, users can disable access to Siri from the lock screen entirely by navigating to Settings > Touch ID & Passcode and toggling the Siri switch.
The exploit only works on iPhone 6s and 6s Plus devices running the latest version of iOS – iOS 9.3.1, which was released to the public just last week. Until Apple releases an official patch for the exploit, iPhone 6s and 6s Plus users running the latest version of iOS are advised to take the precautions noted above to protect their devices from nosy people.